Uplevel Security Uplevel Incident Analysis and Resolution

The best way that we know to describe Uplevel Security's platform is that it is cyberthreat intelligence made actionable. Keeping it simple for a moment – and it's not, really, this simple – the tool provides a convergence of threat intelligence and incident data to make very rapid decisions about what actions to take.

To do this, Uplevel starts with data – preferably, lots of it – about the cyber threatscape. It mixes in data about threats against your enterprise. Then it applies some very sophisticated analytics and comes up with a course of action for you.

Automated threat intelligence is brought into the tool from external threat feeds via APIs. Additionally, you can enter data manually, and you can feed from a tool such as Splunk, where you can get a retrospective of events over time. This is important for determining whether you are seeing anomalous behavior or a pattern of ongoing probes and attacks. Since this is derived from a variety of sources, the potential for enrichment of real-time analytics is significant.

On the other side of the picture – ingesting malicious behavior on your enterprise – you can integrate with a SIEM. This gives you data from various sensors and sensor types around your enterprise. A popular way to do this is, again, with Splunk. You can enter incidents manually, of course, but that is not efficient in a large enterprise where there might be numerous events that look like incidents initially. You also run a significant risk of missing subtle incidents – or, events that turn into incidents eventually – simply because your view of your attack surface is limited. Uplevel solves this problem and is, in our view, the embodiment of the axiom that you never can have too much data. The result of this approach is up to an 80 percent reduction in time to identify and clear an incident.

Uplevel identifies and collects indicators and associates those indicators with a variety of data. Some of the data – such as whois, for example – comes from outside. Some is historical on your enterprise through look-backs.

Two of the big challenges for a sophisticated tool such as this one are organization and visualization. There is so much data that organizing it into useful chunks can be challenging. There is an old – but true – saw that claims data leads to information which, in turn, leads to knowledge that finally becomes wisdom. In this case, there is a real risk of stopping at the information level, if not being stuck at the data level. This is a good example of how Uplevel has combined serious analytics with organization to get a useful visualization.

Analysts can see and manipulate data in a variety of ways. Viewing indicators as standalone entities, as part of the kill chain or in tables and graphs is the analyst's choice. Once the pieces are all in place, graphs take over. So, hang on, this gets a bit deep. But, as we discovered, this is the real deal, not marketing hype.

Graph theory is a mathematical way of analyzing lots of data from lots of sources and making sense of it. We've actually heard data scientists refer to this as “sense-making.” Once that is done, it remains to present the information in ways that make it consumable by the user without inflicting too much pain. Since we are using graphs for analysis, why not use them for visualization as well? That is what has been done here. We were able to make associations within an incident visually very quickly. You will see separate graphs for alert and incident prioritization, investigative analysis, and remediation and mitigation. Within each graph, you also see the sources of the data, so from an audit – or “how-do-you-know?” – perspective, it's all right there for you.
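To make the indicator-association idea concrete, here is an added example in Python. It is not Uplevel's code and does not describe its internals; the alert records, the enrichment facts (standing in for whois-style and passive-DNS look-backs) and the scoring rule are all constructed for illustration. Alerts and indicators become nodes, SIEM and enrichment records become edges that remember their source, and each connected component of the graph is treated as one incident, ranked by how many alerts and distinct sensor types support it. A day-count helper shows the retrospective check that separates a one-off anomaly from a recurring probe.

```python
from collections import defaultdict, deque

# Constructed sample alerts in the shape of a SIEM export (not real data).
ALERTS = [
    {"id": "a1", "ts": "2017-03-01T09:00:00", "src": "ids",   "indicator": "198.51.100.7"},
    {"id": "a2", "ts": "2017-03-01T09:05:00", "src": "proxy", "indicator": "bad.example"},
    {"id": "a3", "ts": "2017-03-02T11:00:00", "src": "edr",   "indicator": "deadbeef01"},
    {"id": "a4", "ts": "2017-03-03T08:30:00", "src": "ids",   "indicator": "198.51.100.7"},
    {"id": "a5", "ts": "2017-03-03T12:00:00", "src": "proxy", "indicator": "other.example"},
    {"id": "a6", "ts": "2017-03-04T07:10:00", "src": "ids",   "indicator": "198.51.100.7"},
]

# Constructed enrichment facts, standing in for whois / passive-DNS look-ups.
ENRICHMENT = {
    "bad.example":   {"resolves_to": "198.51.100.7", "registrant": "reg-x"},
    "other.example": {"resolves_to": "203.0.113.9",  "registrant": "reg-y"},
    "deadbeef01":    {"contacted": "other.example"},
}


def build_graph(alerts, enrichment):
    """Undirected graph: alert->indicator edges come from the SIEM records,
    indicator->related-value edges come from enrichment. Every edge stores
    where it came from, so any association can be traced back to a source."""
    graph = defaultdict(dict)

    def link(u, v, provenance):
        graph[u][v] = provenance
        graph[v][u] = provenance

    for a in alerts:
        link("alert:" + a["id"], "ind:" + a["indicator"], a["src"])
    for indicator, facts in enrichment.items():
        for key, value in facts.items():
            # resolves_to / contacted point at other indicators;
            # registrant is a shared attribute that can tie domains together
            node = ("ind:" if key in ("resolves_to", "contacted") else key + ":") + value
            link("ind:" + indicator, node, "enrichment:" + key)
    return graph


def components(graph):
    """Connected components via breadth-first search."""
    seen, out = set(), []
    for start in graph:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            n = queue.popleft()
            comp.add(n)
            for m in graph[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        out.append(comp)
    return out


def incidents(alerts, enrichment):
    """Group alerts into incidents (one per component) and rank them.
    The score is a constructed rule: alert count plus distinct sensor types."""
    by_id = {a["id"]: a for a in alerts}
    result = []
    for comp in components(build_graph(alerts, enrichment)):
        alert_ids = sorted(n[len("alert:"):] for n in comp if n.startswith("alert:"))
        if not alert_ids:
            continue
        sources = sorted({by_id[i]["src"] for i in alert_ids})
        indicators = sorted(n[len("ind:"):] for n in comp if n.startswith("ind:"))
        result.append({"alerts": alert_ids, "indicators": indicators,
                       "sources": sources, "score": len(alert_ids) + len(sources)})
    result.sort(key=lambda r: r["score"], reverse=True)
    return result


def days_seen(alerts, indicator):
    """Retrospective check: on how many distinct days did this indicator fire?
    A count above one suggests an ongoing pattern rather than a single anomaly."""
    return len({a["ts"][:10] for a in alerts if a["indicator"] == indicator})


def provenance(graph, u, v):
    """Answer 'how do you know?' for one association: the source of the edge u-v."""
    return graph[u].get(v)


if __name__ == "__main__":
    for inc in incidents(ALERTS, ENRICHMENT):
        print(inc)
    print("days 198.51.100.7 seen:", days_seen(ALERTS, "198.51.100.7"))
```

Running the block yields two incidents: the recurring 198.51.100.7 probe and the bad.example domain that resolves to it are pulled into one higher-scored group, while the hash and the second domain form a separate, lower-scored one. Swapping the constructed `registrant` values for real whois output is the only change needed to run the same logic over a real enrichment source.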

Documentation for this tool exceeded our expectations. Support, as well, is excellent, with basic support included and premium support available for a fee. The hardware requirements are significant: eight cores and 64 GB of RAM are the required minimum. The product image also ships on three 4TB disks, so it does take a bit of space. The vendor recommends solid state drives.

We liked this one for its high level of sophistication – sophistication that the company was willing to discuss. Because we have experience in such advanced analytics as graph theory the description made perfect sense to us. Watching the product detect and analyze an incident demonstrated how the analytics work in a real situation. Overall, we expect to see more from this company and it certainly lives up to our expectations when we looked at it previously as an Innovator.

What we liked

We are analytics freaks in general and graph theory freaks in particular around the SC Labs, so this tool really hit home for us. Its next-gen analytics are superb and very well-presented.

The bottom line

No matter what other tools you have monitoring your network, and no matter to what threat feeds you subscribe, you will find a lot to like about this tool and the impact it can have on your incident management. It is a serious force-multiplier for SIEMs in general and Splunk in particular, not to mention your other threat management/intelligence resources.
